Proceedings of the International MultiConference of Engineers and Computer Scientists 2008 Vol I IMECS 2008, 19-21 March, 2008, Hong Kong
Integrating Risk Management with Software Development: State of Practice Jaana Nyfjord and Mira Kajko-Mattsson
Abstract—In this paper, we investigate the state of practice of integrating risk management with software development in 37 software organizations. We do this by using a set of evaluation criteria covering various process integration aspects. Our results recognize that process integration in this domain is still in its infancy. There is a great need for process integration and process integration models within the industry studied. Index Terms—Process model, process integration, agile
I. INTRODUCTION The spiral model, based on a risk-driven and cyclic approach, is one of many suggestions for making software development more effective. Despite the fact that it was already pioneered in 1988 [3], it has been only partially realized. Its cyclic character has been adapted by many current development approaches, such as iterative and agile development. Its risk-driven approach, on the other hand, has not been as influential. Still, development and risk management processes live somewhat isolated lives. Recently however, their integration has become recognized as an important business and development driver [5]. In this paper, we investigate the state of practice of integrating risk management with software development in 37 software organizations. Our goal is threefold: (1) to find out how the industry has integrated risk management with their development processes (2) to identify issues that might aid in improving the integrated process, and (3) to find out the differences between agile and other development approaches. The remainder of this paper is structured as follows. Section 2 describes the research method taken during our study. Section 3 describes our evaluation model. Section 4 presents the status within the organizations studied. Finally, Sections 5 and 6 make concluding remarks and suggestions for future research. II. RESEARCH METHOD This section describes the research method taken during
Manuscript received December 30, 2007. Jaana Nyfjord is with the Department of Computer and Systems Sciences, Stockholm University/Royal Institute of Technology, Forum 100, SE-16440. Kista, Sweden. (Phone: +46-8-162000; fax: +46-8-7039025; e-mail:
[email protected]). Mira Kajko-Mattsson is with the Department of Computer and Systems Sciences, Stockholm University/Royal Institute of Technology, Forum 100, SE-16440. Kista, Sweden. (E-mail:
[email protected]).
ISBN: 978-988-98671-8-8
Figure 1. Our questionnaire
our study. Section II.A lists and describes the research steps. Section II.B discusses the sampling and validity. A. Research Steps As a first step, we determined the evaluation criteria covering various integration aspects. These aspects are described in Section 3. We then created a questionnaire whose questions were based on (1) these criteria, (2) a synthesized risk management process model [10] and (3) a template of risk management information [8]. The questionnaire is described below and presented in Figure 1. In the second step, we interviewed the companies. For this purpose, we used students attending an advanced software engineering course, being part of an international master program. In total, 37 organizations were interviewed. The profiles of the organizations and the roles of the interviewees are presented in Table 1. As can be seen in Figure 1, our questionnaire was open-ended and semi-structured. The purpose was to give
IMECS 2008
Proceedings of the International MultiConference of Engineers and Computer Scientists 2008 Vol I IMECS 2008, 19-21 March, 2008, Hong Kong Table 1. Organizations studied
freedom to respondents to answer in their own terms. Such type of interviewing has a positive effect in a sense that while interviewing, one may elicit more knowledge about the studied domain [13]. Its drawback however is the fact that the interviewer must possess a good understanding of the domain studied, in order to adequately react to irrelevant answers. To optimize the interviews, we assured that each question transitioned smoothly from previous questions [1]. We ordered questions with respect to their ease of understanding the industrial practice. We first asked questions regarding the background of the company and its processes. Then we asked concrete questions regarding risk management in different development process phases. We then continued with questions regarding the process integration practice. This order allowed the interviewers to first understand the industrial practice before going over to the integration aspects. Because we used students in our investigation, we run the risk that some answers might be misunderstood. To avoid misunderstanding, three preventive actions were taken. First, we presented our risk management model in detail to the students[10]. Second, we described the goal of the interview, the questions and the questionnaire design for the students. Detailed directives regarding the expected answers, and possible follow-up questions were also inserted into the questionnaire. Third, each interviewee was asked to provide
ISBN: 978-988-98671-8-8
their name and contact details to allow follow-up questions. Finally, in the third step, we analyzed the results. The data collected by the students was gathered to enable the collective analysis of the status of all the organizations studied. A final list containing the combined status results was then created. The results were discussed and reviewed in order to verify the quality and the findings of this work. B. Sampling and Validity The data sampling method was convenience sampling [12]. This means that we did not control the choice of the organizations involved in our study. It was students who did it. Due to the fact that it is difficult to make organizations show willing for an interview, the students were allowed to choose just any organization (large/medium/small and/or private/ government) in any country. The only requirement was that the organizations studied should have a risk management process in place. Many of our students, coming from an international master program in Sweden, chose organizations in their own countries. Table 1 presents the details of the organizations studied. Due to the sensitivity of the material presented herein, we do not name these organizations. Some of them however are major multinational organizations.
IMECS 2008
Proceedings of the International MultiConference of Engineers and Computer Scientists 2008 Vol I IMECS 2008, 19-21 March, 2008, Hong Kong
Figure 2. Synthesized risk management process model [10]
III. MODEL FOR EVALUATING STATE OF PROCESS INTEGRATION PRACTICE To structure our investigation, we created an evaluation model. This model consists of the following five criteria covering various process aspects: • Organizational levels: Most software organizations conduct their business on various organizational levels [14]. As illustrated in Figure 3, they usually distinguish between Business and Engineering levels [9]. The Business level involves planning of more strategic nature to establish the product vision, while the Engineering level involves realizing that vision by planning and developing the product [9]. Risk management is relevant for both Business and Engineering levels. For this reason, using Questions 12-17, we inquired about the state of conducting risk management for each of these levels and their inherent process phases. • Integration aspects: When integrating processes, one needs to identify appropriate criteria for doing it. Due to the fact that there are very few process integration models regarding this domain, we inquired about the criteria to be used when integrating risk management with software development. So, using Questions 18-20, we wished to find out (a) whether the organizations studied integrated their risk management processes with their development processes,
ISBN: 978-988-98671-8-8
and (b) the criteria they used in this integration. • Integration problems: Problems, successes and failures provide a good platform for evaluating the integration attempts by indicating their deficiencies and strong sides. For this reason, in Questions 21 and 22, we elicited problems, successes and failures of process integration as experienced by the organizations studied. • Importance of process integration: The software industry has an opinion about the importance of integrating risk management with development processes. This opinion should be listened and paid heed to. It may provide indications of the procedures to be enforced or avoided during integration. To find them out, we asked Question 23. • Applicability of risk management in agile context: Due to the fact that agile methods claim to be risk driven [1][4], we wished to hear the industrial point of view about this issue. For this reason, we first presented the synthesized process model (see Figure 2) and a template for managing risk information (see Figure 4) in order to find out about their applicability in an agile context. We did it using Questions 24-26. We then inquired about the differences between the agile and other development approaches with respect to the risk management practice.
IMECS 2008
Proceedings of the International MultiConference of Engineers and Computer Scientists 2008 Vol I IMECS 2008, 19-21 March, 2008, Hong Kong
Figure 3. Organizational levels and agile process phases [9]
IV. INTERVIEW RESULTS This section presents the interview results following the order of the criteria as listed in our evaluation model. A. Organizational Levels Thirty-two out of the 37 studied companies have the Business and Engineering levels. In the remaining five companies, the interviewees were not familiar with the work conducted on the Business level. Twenty-eight out of the 32 companies have a phase corresponding to the Product Vision Planning phase during which they manage risks (see Figure 3). The risks managed at this stage are primarily business and market risks. When managing risks in the Product Vision Planning phase (see Question 13 in Figure 1), the organizations conduct their own risk management processes, mainly by having face-to-face meetings. The stakeholders involved in them are primarily represented by various senior management roles (e.g. CEO, CIO, and CTO) and the roles coming from the business department, such as sales and product managers. Concerning risk management on the Engineering level, thirty-two companies claim that they conduct risk management using their own organizational risk management process models. They claim that the choice of activities, the types of outcomes and the roles involved vary depending on the engineering phase. In the Product Roadmap Planning phase (see Question 15 in Figure 1), the roles involved are mainly represented by various managers (business, product, project), customer, business analysts and requirement engineers. Since it is still a planning activity, the risk management activities conducted herein are Risk Identification and Risk Analysis. They are mainly conducted via meetings or brainstorming sessions. Regarding risk management in the Release Planning phase (see Question 15), it follows the same organizational risk management process as in previous phases. However, some differences were identified with respect to the roles and the risk management process phases. The roles identified in this phase include release managers, technical leaders, team leaders, senior software engineers and QA. The phases identified are Risk Identification, Risk Analysis and Risk Management Planning. There is also a shift of the focus on the types of risks managed in this phase. For instance, as stated by the interviewee of Org 21: “Risks in this phase concern issues such as the stakeholders’ satisfaction with the release plan, and not only the business risks”. Regarding risk management in the Iteration Planning
ISBN: 978-988-98671-8-8
Figure 4. Template for managing risk information [8]
phase (see Question 15), fourteen companies state that they do not conduct Iteration Planning because they use non-iterative development approaches. In the remaining organizations, risk management in the Iteration Planning phase is conducted according to the organizational standards. The differences identified concern the roles involved, the risk management activities, and the types of risks focused on. The roles involved on this level are mainly engineers, represented by system architects, software engineers, testers, system integrators, and other roles. In a majority of the companies having iteration planning, risk management is led by the project manager. Generally, the activities in the Iteration Planning phase cover almost all the risk management phases, including Risk Identification, Risk Analysis, Risk Management Planning, Risk Monitoring and Control and Post-Mortem Analysis. B. Integration Aspects The integration of the software and risk management processes varies within the organizations studied. As illustrated in Figure 5, nineteen companies have integrated their development processes with risk management, six companies have partially integrated them, and another twelve have them as separate processes. In the first group of organizations, risk management directly or indirectly affects the development activities, work products of the planning and execution process phases, and various parameters. It is an ongoing process that is carried out by the team throughout the whole project life cycle. In the next group of companies (six companies), the processes are claimed to be partly integrated. Reasons are varying. For instance: • In Org 20, one runs two separate processes, one for development and one for risk management. These processes have separate process owners. Although, these owners share the responsibility for managing and controlling risks, they still follow different processes for carrying out their work. In Org 4, the degree of process integration depends on the project characteristics. In most of the projects, risk management and development processes are integrated. In large projects having complex risk profiles, one runs a separate risk management process. The reason is the fact that the risk management process requires more resources. When integrating the processes (see Questions 18 and 19
IMECS 2008
Proceedings of the International MultiConference of Engineers and Computer Scientists 2008 Vol I IMECS 2008, 19-21 March, 2008, Hong Kong
Figure 5. State of process integration in 37 software organizations.
in Figure 1), the companies (the nineteen organizations in the first group as identified in Figure 5) mainly use criteria such as activities, resources and roles. These companies suggest that one • assigns resources to the integration effort, • adapts the integration process to the risk type by combining appropriate risk assessment and elimination techniques, • identifies appropriate activities and resources for each risk type, • adapts the risk management process to the project type, and finally, • thoroughly documents information about risks and identifies development phases that may be affected by the risk. Several factors were pointed out to be important to achieve maximal results from process integration (see Question 20). These are: • Establish good communication between the development team and the risk manager (Org 9 and Org 22) • Involve the right people (Org 26 and 31) • Ensure that the people on the team have good collaboration skills (Org 26 and 31) • Determine which roles should do the risk management activities, and decide how they have to cooperate with the other roles (Org 4 and 16). • Assign the right risk management activities to the right development process phase (Org 16). • Make the risk management process flexible to fit the development process model and the project needs (Org 3) • Create risk integration architecture, i.e. a process integration model (Org 33) • Continuously assess the risk management and adapt the risk management process to the status at hand (Org 5, Org 18, 23, 27, 34 and 37) • Balance the processes with each other in order to avoid too much or too little focus on one or the other process (Org 8) • Make the process homogenous. To achieve it, you have to make sure that the risk management and development activities belong to the same process and are treated in the same way (Org 13) • Integrate risk management into the overall development plan (Org 11 and 15). C. Integration Problems Twelve out of the 37 organizations studied claim to have problems with the process integration (see Question 21). The problems identified are the following:
ISBN: 978-988-98671-8-8
• Resource problems o Training cost is too high (Org 22) o Lack of resources to conduct risk management (Org 21 and Org 33) o Lack of time to conduct risk management (Org 11) • Organizational problems (Org 16) o Different roles have different attitudes towards risk and risk management (Org 29) o Lack of competence (Org 10, Org 21 and Org 33) o Work overload for project manager (Org 8) • Scope problems o Lack of control of external risks (Org 35) • Process problems o Lack of process coordination (Org 15) o Lack of process integration (Org 11, 15 and 31) o Lack of plan (Org 11) o Lack of process (Org 31) One organization points out that although integration is important, the success still depends on the project management (Org 8). If the project manager can control the integrated process, it is an advantage. However, if the project manager has not enough time to have an overview of the whole process, a separate risk management process led by some other role can be more useful. The other twenty-five organizations claim that they have no problems at all. However, twelve out of them have not integrated their processes. D. Importance of Process Integration All the organizations claim that the integration of the software development and risk management processes is very important (see Question 23). They motivate this by stating that (a) applying a single process is easier than two different processes, (b) integration makes the risk management process much more effective, (c) risk management can help prevent problems and risks in development, and (d) the organization will produce better software products with lower cost. E. Applicability of Risk Management in Agile Context The answers to the question regarding the usefulness and applicability of our synthesized risk management model (depicted in Figure 2) in agile environment vary between the organizations studied (see Question 24). They are the following: • Sixteen companies state that the model is useful and applicable in agile environments. They claim that risk management is needed in any development model, whether traditional, agile or other. • Eleven companies state that the model is partly applicable in agile environments. It threatens the balance of agility. Hence, it should be adapted to the agile context. Org 13 motivates this with the following: “It goes into too deep details that can violate one of the basic concerns of agile environments, which is to keep software development process low-ceremony. Thus, some of the data need to be refined to fit within the “simplicity” requirement of agile models”. • Four companies claim that the risk management is not useful in agile projects. They motivated it with the following: (1) the risk management model is too complex, (2) the agile model with its iterative approach already has risk
IMECS 2008
Proceedings of the International MultiConference of Engineers and Computer Scientists 2008 Vol I IMECS 2008, 19-21 March, 2008, Hong Kong management by nature. Hence, the need for separate risk management is limited. • Six companies did not respond to this question because they were not familiar with the agile process models. When being asked to go back to our model and to point out the phases that would be considered pivotal for agile projects, (see Question 25), the following phases were pointed out: Risk Identification (17 companies), Risk Analysis (16 companies), Risk Management Planning (15 companies), Risk Monitoring and Control (15 companies), Risk Sign-Off (15 companies), Risk Post-Mortem Analysis (17 companies). Twenty-one out of 37 companies responded to this question explicitly. The remaining companies did not respond to this question because they felt that they were not sufficiently familiar with the agile models. The results of Question 25 indicate that the organizations studied are of the opinion that all the risk management process phases are relevant in an agile context. The organizations, however, had conflicting opinions about them. For instance, whereas 15 organizations identified the Risk Sign-Off phase as important, some voices were raised against it. The motivation was that the Risk Sign-Off phase would hurt the team spirit within an agile team. Formal sign-offs would discourage the team members from collaborating with one another. Concerning the question about the differences between projects using agile and other types of process models (see Question 26), sixteen out of 37 companies claim there are differences in how risk management is carried out in agile versus other projects. Five companies claim there are no differences and sixteen companies did not respond to this question. The differences identified are: • Time aspects: The risk is not exposed until late in the traditional projects. The iterative nature of agile projects allow them to identify risk areas sooner rather than later (Org 27, 31, 36) • Development approach and risk management effort: The iterative development approach minimizes risks and the total risk management effort (Org12 and 37). • Follow-up and control mechanisms: The risk management process activities are conducted sequentially in traditional approaches and usually managed via various documents and formal inspections, whereas risks are managed through other types of controls in agile models, e.g. via the backlog and daily meetings. The team jointly manages issues, risks, and solutions. All of them are communicated, followed-up and controlled continually at the daily and other review meetings rather than via documents as in many traditional approaches (Org 14). • Frequency of risk management: In the agile model, risk management is conducted more frequently than in traditional software process models. The agile cycle is shorter than in other models (Org 10). • Level of process formality: In agile environments, one usually does not have time for managing risks at the same level of detail that is described in traditional risk management models (Org 18).
ISBN: 978-988-98671-8-8
V. CONCLUDING REMARKS In this paper, we have studied the industrial practice of the integration of the software and risk management processes within 37 software organizations. We considered both the traditional and agile development contexts. Our study shows that the majority of the companies conduct risk management on both the Business and Engineering levels. The risk management process however, varies with respect to these levels and their inherent phases. Essentially, different types of risks are managed in different development phases, different types of activities are conducted in these different phases, and there is a shift of roles throughout the phases. Hence, we draw the conclusion that one needs to carefully consider the organizational levels, and their inherent development phases, activities and roles when considering process integration. The majority of the organizations studied have fully or partially integrated their risk management with the software process. They mainly use criteria such as activities, resources and roles to realize the integration. However, the process integration is conducted on an ad hoc basis. The organizations studied have not defined any process integration model. They do not have any model to follow, i.e. a model providing guidelines for how to integrate processes. Hence, we conclude that there is a need to create a process integration model. Our study has also revealed some problems within the industrial process integration. These problems primarily concern organizational issues, people, skills, processes, tools, resources, and knowledge management. These problems constitute an important platform for analyzing and improving the current process integration practice. All the companies studied agree that the integration of risk management with software development is important. They claim that a properly integrated process is a great aid in managing risks effectively. To achieve successful process integration is however a task that is experienced to be very difficult by the organizations studied. We have found that risk management is needed in any development model, whether traditional, agile or other. Although, there are claims that the agile models include risk management by nature, the agile models provide very general guidance for managing risks [6]. Risk management models, on the other hand, provide detailed guidance. In accordance with the majority of the studied organizations, we believe that agile models should be more active in integrating more risk management aspects. It is only in this way, one may make sure that risk management is implemented and run in an effective way. VI. EPILOGUE In this paper we have found out how the industry has integrated risk management with the software development process. Our results show that integration of these two types of processes is still in its infancy and that a lot of work still needs to be conducted. Hence, we suggest that more similar studies be made.
IMECS 2008
Proceedings of the International MultiConference of Engineers and Computer Scientists 2008 Vol I IMECS 2008, 19-21 March, 2008, Hong Kong ACKNOWLEDGMENT Many thanks to the students of the Process for IT Production course at Stockholm University/KTH, who conducted the interviews in 2007. We would also like to thank the 37 anonymous companies that contributed to this study. REFERENCES [1] Beck K., Extreme Programming Explained: Embrace Change. 2nd Ed. Upper Sadle River, NJ, Addison-Wesley, 2004. [2] Biemer P. and Lyberg L., Introduction to Survey Quality. John Wiley & Sons, Hoboken, NJ, 2003. [3] Boehm B., “A Spiral Model of Software Development and Enhancement”, IEEE Computer, Vol. 21 (5), 1988, pp. 61-72. [4] Eclipse Process Framework (EPF), OpenUP Process. URL: http://www.eclipse.org/epf/. Accessed November 2007. [5] IEEE 1540, IEEE 1540 Standard for Lifecycle Processes - Risk Management. IEEE, New York, NY, 2001. [6] Nyfjord J. and Kajko-Mattsson M., “Commonalities in Risk
ISBN: 978-988-98671-8-8
[7] Management and Agile Process Models”. Proceedings of 2nd International Conference on Software Engineering Advances, France, 2007. [8] Nyfjord J. and Kajko-Mattsson M., “Communicating Risk Information in Agile and Traditional Environments”. Procedings of 33rd Euromicro Conference on Software Engineering and Advanced Applications, Germany, 2007. [9] Nyfjord and Kajko-Mattsson, “Degree of Agility in Pre-Implementation Process Phases”. Accepted at the 19th Australian Software Engineering Conference, Australia, March 2008. [10] Nyfjord J. and Kajko-Mattsson M., “Software Risk Management: Practice Contra Standard Models”. Technical Report, Department of Computer and Systems Sciences, Stockholm University/KTH, Sweden, 2008. [11] Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBoK), 3rd Ed. ANSI/PMI 99-001-2004, PMI, Newton Square, PA, 2004. [12] Robson C., Real World Research. Blackwell Publishing, 2002. [13] Walker R., Applied Qualitative Research, Gower Publishing Company Ltd, 1985. [14] Zdravkovic J., Process Integration for the Extended Enterprise. Doctoral Thesis in Computer and Systems Sciences. Royal Institute of Technology, Sweden, 2007.
IMECS 2008
